IT Policy

1. Definitions

a. MUET means Mehran University of Engineering & Technology.b. Employee means the entire people who are being employed by Mehran University of Engineering & Technology, including officers, teaching & nonteaching.c. Faculty Members means all the teaching staff of Mehran University of Engineering & Technology.d. Students mean all the students that are enrolled in University in any discipline and in any department, including Bachelors, Masters, Post-Graduate, M-Phil, and PhD.

2. IT POLICY

Mehran University acknowledges an obligation to ensure appropriate IT policy for all Information Technology data, equipment, and processes in its domain of ownership and control. This obligation is shared, to varying degrees, by every member of the university.

IT policy is necessary for following reasons.

To pave the way for paperless communication.

Provide physical security for computers and IT equipments

Maximize availability of computers and network resources.

To secure computers and IT equipment from un-authorized access, hacking and Virus attacks by using centralized security policy

Confidentiality of Information

Efficient and Appropriate Use

2.1 Enforcement

Any employee or student found to have violated this policy may be subject to disciplinary action, up to and including termination of employment/admission. Legal action (if their action found to be illegal), and criminal liability (if their action is found to be criminal).

Teachers, employees desiring Data/Voice Point should send a written request to Director ICPC through their sectional/departmental head. Upon receipt of request, the Director would get a survey conducted and if feasible would request the higher authorities for the provision of Data/Voice connection. Upon approval, the Data/Voice connection would be installed if no financial implication is there. In case of financial implication beyond the allocated contingency of ICPC, it would be the responsibility of applicant’s sectional/departmental head to get the funds approved to meet the financial implication.

Request to access data points in the rooms of dormitories should also be addressed to the Director ICPC. The Director reserves the right to deny any such request based on student’s record, or based on any technical or non-technical reasons.

The request for dialout facility on PABX would similarly be addressed to Director ICPC through their departmental/sectional head. The Director would send the case to higher authorities for approval. Once approval is granted the dial out facility would be granted. The maximum limit of usage of dial out facility would be decided by the higher authorities.

B. User/Group Account Request

Teachers, students and Administration officer’s accounts will be in their department’s organizational unit (OU) under the MUET domain. These accounts can be officially used for intra and interdepartmental e-communication. All users are required to check their accounts for any possible mails at least once in 48 hours, whereas all sectional/departmental/faculty heads are required to check their e-mails at least once in 24 hours.

Any new appointment will request for account in MUET domain by through proper channel. The request is addressed to Director ICPC. The required group permissions and access rights be mentioned in the written request. All users have to change their passwords on 1st log on to domain.

Minimum password length for MUET users is 08 digits.

Users will get user id and password from respective department chairman.

In case of a group account (e.g. a class, research group, etc.), the request for account be forwarded by the class teacher, or by group leader through departmental/sectional head.

C. E-Mail Account Request

Any user/group that has account in MUET domain will also have MUET E-mail account. All employees are required to send their e-mails through the officially assigned MUET e-mail id.

All users will be able to access their e-mails from MUET Intranet as well as from remote site.

A user/group will be assigned only one email account. Every project/program executed by MUET will be allotted a public email address, which will be used for correspondence related to that project.

User Email accounts are private and confidential and strictly for use by the individual for Whom they are Created and the Individuals will be held responsible for any improper or unethical use of their account. The password for such accounts should, under no circumstances, be communicated to any other person. The user must change the initial/default password before starting to use the account and protect this password.

The default storage quota for email is 150 MB for teachers & officers and 50 MB for students. However, this quota can be increased in special circumstances with the approval of Director ICPC.

D. ICPC Support Procedure

ICPC is responsible for monitoring all network facilities like web usage, Centralized Folders usage, Email Quota limits etc. However, the ICPC staff will help solve problems upto the Access Switch (Department Switch) only. Problems beyond Access Switch viz. connectivity/software/hardware problems in individual machines or in laboratory machines, would be solved by the department/section resource persons. ICPC has already trained two resource persons in each department/section to handle day to day problems arising in users’ machines.

It is because it would be almost impossible for the limited staff of ICPC to handle day-to-day problems arising in hundreds of machines. ICPC has requested the higher authorities to appoint a Trainer exclusively for training purpose. The job of the trainer would be to conduct training sessions for those users who are not familiar with computer skills, and also those who encounter day to day problems related to installation of software, domain joining, e-communication, etc. Until such Trainer is appointed, the users should direct their queries to the department/section resource persons. ICPC center also maintains a Support center for central network complaints. ICPC personnel can be contacted on the following numbers:

The uploading of information on the MUET website would be through Director ICPC. The Director ICPC will instruct the webmaster or web developer to upload the desired content.

Information of all Exams and results of MUET must be published on the website.

All MUET advertisements sent for publishing in the newspaper must also be sent to the Webmaster for web publishing.

Information about research journals will be sent to webmaster for publishing.

All the material to be uploaded to the MUET website must be emailed to the web developer and addressed to Director ICPC at least 48 hours before it is to be posted on the website.

All website update requests will be served on first come first serve basis. Under special circumstances task priorities may be changed. Such a change will require an approval of Director ICPC.

The decision to post any unofficial item on news groups/forums would be decided by the Director ICPC or by any other ICPC employee nominated by the Director ICPC.

F. Intranet/Internet/Extranet/E-mail usage

The use of the MUET Intranet/Internet/Extranet provides benefits to all MUET users. Intranet/Internet/Extranet, however, are shared facilities and must be used properly. Choking of bandwidth by a single user can impact the work of hundreds of other users who are using the same, shared facility. Internet and email should not be used to access or disseminate illegal, defamatory, or potentially offensive information/content. Computer and network usage will be governed by the following policy:

Users should not exceed their allotted quota for saving data in centralized Folders.

Personal and Departments Centralized Storage folders are for official data only. No personal material should be stored in this area.

Playing Online Videos, Songs, and Games etc is strictly prohibited. Violations can lead to strict disciplinary action.

Internet usage must be for Education purposes only.

Only one machine should be connected to one Data Point, unless allowed by ICPC and higher authorities. Sharing an IP/MAC address or setting up of proxy servers for multiple users is strictly prohibited unless authorized by Director ICPC.

Peer to Peer file sharing / Download software like Kazza, Get right, Morphous, download accelerator, Flash get etc must not be downloaded.

Avoid sending and receiving *.Zip files. If receiving Zip file is necessary then scan it with installed anti virus before opening it.

Email should be checked and downloaded frequently. Unused accounts will be disabled.

MUET Email should be used for official purposes only. No objectionable material should be disseminated using MUET network/email resources.

All MUET computer users must respect the copyrights in the works that are accessible through MUET network. No copyrighted work may be copied, published, disseminated, displayed, performed, or played without permission of the copyright holder except in accordance with the fair use or licensed agreement.

The university authorities may charge users for the Internet/Intranet/Extranet/e-mail usage to cover the expenses incurred on ICPC. Income generated by such charges would go to the ICPC head only. No other section/department is authorized to charge/collect money for the Internet/Intranet/Extranet/e-mail usage.

ICPC may require identity of machines (e.g. MAC address) to allow or block access of machine to the Intranet. In case of violations of IT policy, or improper use of Intranet, ICPC may block any machine at any time without any prior notice.

G. Remote Access

Remote access policy applies to all MUET employees, faculty members, and students with a MUET-owned or personally-owned computer or workstation used to connect to the MUET network. This policy applies to remote access connections used to do work on behalf of MUET, including reading or sending email and viewing intranet web resources. Remote access implementations that are covered by this policy include, but are not limited to, dial-in modems, frame relay, ISDN, DSL, VPN, SSH, and cable modems, etc.

It is the responsibility of MUET employees, faculty members, and students with remote access privileges to MUET's corporate network to ensure that their remote access connection is given the same consideration as the user's on-site connection to MUET.

The MUET employee is responsible to ensure the family member does not violate any MUET policies, does not perform illegal activities. The MUET employee bears responsibility for the consequences should the access is misused.

Secure remote access must be strictly controlled. Control will be enforced via password authentication or public/private keys with strong pass-phrases. For information on creating a strong pass-phrase see the MUET Password Policy.

At no time should any MUET employee provide their login or email password to anyone, not even family members.

MUET employees, faculty members, and students with remote access privileges must ensure that their MUET-owned or personal computer or workstation, which is remotely connected to MUET's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.

MUET employees, faculty members, and students with remote access privileges to MUET's corporate network must not use non-MUET email accounts (i.e., Hotmail, Yahoo, gmail), or other external resources to conduct MUET business, thereby ensuring that official business is never confused with personal business.

Routers for dedicated ISDN lines configured for access to the MUET network must meet minimum authentication requirements of CHAP.

Reconfiguration of a home user's equipment for the purpose of split-tunneling or dual homing is not permitted at any time.

Non-standard hardware configurations must be approved by Remote Access Services, and ICP Center must approve security configurations for access to hardware.

All hosts that are connected to MUET internal networks via remote access technologies must use the most up-to-date anti-virus software, this includes personal computers.

Personal equipment that is used to connect to MUET's networks must meet the requirements of MUET-owned equipment for remote access.

Organizations or individuals who wish to implement non-standard Remote Access solutions to the MUET production network must obtain prior approval from Remote Access Services and ICP Center.

2.3 Security and Use of e-resources

Security can be defined as "the state of being free from unacceptable risk". The risk concerns the following categories of losses:

Confidentiality of Information.

Integrity of data.

Assets.

Efficient and Appropriate Use.

System Availability.

The assets that must be protected include:

Computer and Peripheral Equipment.

Communications Equipment including PABX.

Computing and Communications Premises.

Power, Water, Environmental Control, and Communications utilities.

Supplies and Data Storage Media.

System Computer Programs and Documentation.

Application Computer Programs and Documentation.

Information.

2.3.1 General Use and Ownership

While MUET's network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of MUET. Because of the need to protect MUET's network, management cannot guarantee the confidentiality of information stored on any network device belonging to MUET.

Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning.

Personal use of Internet/Intranet/Extranet/PABX systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their superiors.

Those users who are provided dial out facility on PABX line are responsible for the proper usage of their line. They must set an access code on their PABX line to avoid any misuse of the dial out facility.

For security and network maintenance purposes, authorized individuals within MUET may monitor equipment, systems and network traffic at any time.

MUET reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

2.3.2 Security and Proprietary Information

Any loss or theft of IT equipment must be immediately reported to the higher authorities.

Password is a unique key of an individual user to access MUET computing resources. It is vital to choose a password that is hard for others to guess and guard it carefully. It is preferable to use a password of minimum 8 characters that include both alphabets and numbers. Users must change their computer\Email login password frequently and should hide and write passwords in secure places.

Default password expiry duration is 60 days so password will be expired after this duration. Expiry alert starts generating warnings 10 days before expiration. It is recommended to change the password before expiration to ensure security and confidentiality

For security purposes a user is allowed only five chances to properly login to the network. If wrong password is supplied five times a user’s account is disabled. If the account is disabled the user may contact Network Administrator to enable the account.

If a user forgets His/Her password, contact the Network Administrator for password reset. A user cannot ask System Administrator to reset password of any other user. The network administrator may ask any proof for the ownership of the account.

Users are not allowed to Login on any other user’s computer without their permission.

Users must protect their computers and the MUET network from computer viruses. All computer users must ensure that antivirus software is installed on their computer and that virus protection is enabled. No user should disable virus protection nor must antivirus software be prevented from scanning system files.All media, email, and internet downloads must be scanned for viruses.

ICP Center has configured every computer on the network to get automatic updates of antivirus software. Every user must make sure that this facility is available on their computer for the protection of their machine.

Be careful in opening emails if you do not recognize the sender.

Users must report any suspicion of virus attacks immediately to ICP center.

It is the responsibility of each computer user to protect all sensitive information of MUET.Users must refrain from unnecessary sharing of files and folders as this may put sensitive data at risk.

Users may not test or implement any products known to compromise the confidentiality, availability or integrity of MUET resources, data and information. It is illegal to possess, distribute, use or reproduce programs for scanning networks (such as tools used as packet sniffers, hacking, key logger etc).

The user interface for information contained on Internet/Intranet/Extranet-related systems should be classified as either confidential or not confidential. Examples of confidential information include but are not limited to: examinations material (e.g. question papers, award list, etc.) university private, corporate strategies, competitor sensitive, trade secrets, specifications, lists, and research data. Employees should take all necessary steps to prevent unauthorized access to this information.

Postings by employees from a MUET email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of MUET, unless posting is in the course of business duties.

All hosts used by the employee that are connected to the MUET Internet/Intranet/Extranet, whether owned by the employee or MUET, shall be continually executing approved virus-scanning software with a current virus database. Unless overridden by departmental or group policy.

Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.

2.3.3 Unacceptable Use

The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting services).

Under no circumstances is an employee of MUET authorized to engage in any activity that is illegal under local, provincial, federal or international law while utilizing MUET-owned resources. The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the unacceptable use.

Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by MUET.

Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.

Using a MUET computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.

Making fraudulent offers of products, items, or services originating from any MUET account.

Making statements about warranty, expressly or implied, unless it is a part of normal job duties.

Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.

Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.

Circumventing user authentication or security of any host, network or account.

Interfering with or denying service to any user other than the employee's host (for example, denial of service attack).

Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.

Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).

Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.

Unauthorized use, or forging, of email header information.

Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.

Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.

Use of unsolicited email originating from within MUET's networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by MUET or connected via MUET's network.

Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).

Using some one else telephone line without permission for dialing out any number.